Date: Wed, 16 Jan 2002 11:05:09 -0800 (PST)
Message-Id: <20020116.110509.05717273.hino@ccrl.sj.nec.com>
To: stable@freebsd.org
Subject: 4.5-RC1: Why sshd require opie for SSH version 2?
From: Koji Hino
Organization: C&C Research Laboratories (CCRL), NEC USA, Inc.

Hi,

# I am not on the list currently, so please CC me if you need more info.

I'm just testing 4.5-RC1. I installed to a clear disk, and configured it minimally: ifconfig/DNS-resolver stuff, activated NIS, set the NIS domainname, and added +::.. to the passwd files.

It seems to work well on a Dell Precision 220 (http://docs.us.dell.com/docs/systems/ws220/en/ug/specs.htm), except that the kernel probe messages don't show fancy printing about the system chipset: Intel 820. It may be so minor :-).

After doing some tests, I found that connecting to this 4.5-RC1 box from another machine with OpenSSH (without an RSA/DSA key or rhost*auth, assuming a plain password is used to log in) requires opie to log in, though /etc/opiekeys and /etc/skeykeys are both size 0.

If I start openssh with the flag '-1', which means to use the OpenSSH version 1 protocol, it works fine: it requires a plain password. I checked a 4.4-RELEASE machine, and found that it works fine without the '-1' flag, and even with '-2', it works.

Is this an intended behavior?

Some info:

Client side:
OS: SunOS 5.5.1 with almost latest Sun's recommended patches
SSH client: openssh-3.0.1p1
SSH client config: only comments in /etc/ssh/ssh_config, no ~/.ssh/*config
SSH client compile time config option:
env CFLAGS=-O ./configure --prefix=/usr/Local --sysconfdir=/etc/ssh --localstatedir=/var --disable-suid-ssh --with-zlib=/usr/Local/lib --with-ssl-dir=/usr/Local/ssl --without-pam --without-rsh --with-xauth=/usr/Local/X11R6/bin/xauth --with-prngd-socket=/var/run/egd-pool --with-ipv4-default --without-bsd-auth

Verbose messages from ssh:

1) ssh to 4.5-RC1

OpenSSH_3.0.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1414 geteuid 1414 anon 1
debug1: Connecting to tanner [131.241.79.205] port 22.
debug1: temporarily_use_uid: 1414/20 (e=1414)
debug1: restore_uid
debug1: temporarily_use_uid: 1414/20 (e=1414)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/kensett/hino/.ssh/identity type 0
debug1: identity file /home/kensett/hino/.ssh/id_rsa type -1
debug1: identity file /home/kensett/hino/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 118/256
debug1: bits set: 980/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'tanner' is known and matches the DSA host key.
debug1: Found key in /home/kensett/hino/.ssh/known_hosts:3
debug1: bits set: 1082/2049
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: try privkey: /home/kensett/hino/.ssh/id_rsa
debug1: try privkey: /home/kensett/hino/.ssh/id_dsa
debug1: next auth method to try is keyboard-interactive
otp-md5 170 al4268 ext
S/Key Password:
debug1: packet_send2: adding 32 (len 17 padlen 15 extra_pad 64)
debug1: authentications that can continue: publickey,password,keyboard-interactive
otp-md5 453 al8647 ext
S/Key Password:

2) ssh -v -1 to 4.5-RC1

OpenSSH_3.0.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1414 geteuid 1414 anon 1
debug1: Connecting to tanner [131.241.79.205] port 22.
debug1: temporarily_use_uid: 1414/20 (e=1414)
debug1: restore_uid
debug1: temporarily_use_uid: 1414/20 (e=1414)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/kensett/hino/.ssh/identity type 0
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: match: OpenSSH_2.9 FreeBSD localisations 20011202 pat ^OpenSSH
debug1: Local version string SSH-1.5-OpenSSH_3.0.1p1
debug1: Waiting for server public key.
debug1: Received server public key (768 bits) and host key (1024 bits).
debug1: Host 'tanner' is known and matches the RSA1 host key.
debug1: Found key in /home/kensett/hino/.ssh/known_hosts:4
debug1: Encryption type: 3des
debug1: Sent encrypted session key.
debug1: Installing crc compensation attack detector.
debug1: Received encrypted confirmation.
debug1: Trying RSA authentication with key '/home/kensett/hino/.ssh/identity'
debug1: Server refused our key.
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
hino@tanner's password:

2) ssh -v to 4.4-RELEASE

OpenSSH_3.0.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 1414 geteuid 1414 anon 1
debug1: Connecting to free1 [131.241.79.106] port 22.
debug1: temporarily_use_uid: 1414/20 (e=1414)
debug1: restore_uid
debug1: temporarily_use_uid: 1414/20 (e=1414)
debug1: restore_uid
debug1: Connection established.
debug1: identity file /home/kensett/hino/.ssh/identity type 0
debug1: identity file /home/kensett/hino/.ssh/id_rsa type -1
debug1: identity file /home/kensett/hino/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.3.0 FreeBSD localisations 20010713
debug1: match: OpenSSH_2.3.0 FreeBSD localisations 20010713 pat ^OpenSSH_2\.3\.0
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.0.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST_OLD sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: dh_gen_key: priv key bits set: 204/384
debug1: bits set: 1074/2049
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'free1' is known and matches the DSA host key.
debug1: Found key in /home/kensett/hino/.ssh/known_hosts:5
debug1: bits set: 1059/2049
debug1: ssh_dss_verify: signature correct
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: done: ssh_kex2.
debug1: send SSH2_MSG_SERVICE_REQUEST
debug1: service_accept: ssh-userauth
debug1: got SSH2_MSG_SERVICE_ACCEPT
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: try privkey: /home/kensett/hino/.ssh/id_rsa
debug1: try privkey: /home/kensett/hino/.ssh/id_dsa
debug1: next auth method to try is password
hino@free1's password:

Best regards,
====================================================================
Koji HINO (HINO is my family name)
C&C Research Laboratories, NEC USA, Inc.
E-mail: hino@ccrl.sj.nec.com
----------
DISCLAIMER: this message is the author's personal opinion and does not constitute the support, opinion, or policy of NEC USA, Inc.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
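
Added example, not part of the original message: a short Python parser that summarizes `ssh -v` client output, so the three sessions quoted above can be compared by protocol version, methods the server offered, and the order in which the client tried them. The embedded logs are excerpts of lines from the message; the function and variable names are hypothetical.

```python
import re

# Excerpts of the `ssh -v` client output quoted in the message above.
SESSION_45RC1_V2 = """\
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20011202
debug1: Local version string SSH-2.0-OpenSSH_3.0.1p1
debug1: authentications that can continue: publickey,password,keyboard-interactive
debug1: next auth method to try is publickey
debug1: next auth method to try is keyboard-interactive
otp-md5 170 al4268 ext
S/Key Password:
"""
SESSION_45RC1_V1 = """\
debug1: Local version string SSH-1.5-OpenSSH_3.0.1p1
debug1: Doing challenge response authentication.
debug1: No challenge.
debug1: Doing password authentication.
"""
SESSION_44_V2 = """\
debug1: Local version string SSH-2.0-OpenSSH_3.0.1p1
debug1: authentications that can continue: publickey,password
debug1: next auth method to try is publickey
debug1: next auth method to try is password
"""

def summarize(log):
    """Return protocol, offered methods, methods tried in order, and any OTP challenge."""
    out = {"protocol": None, "offered": [], "tried": [], "otp_challenge": None}
    for line in log.splitlines():
        line = line.strip()
        if m := re.match(r"debug1: Local version string SSH-(\d+\.\d+)-", line):
            out["protocol"] = m.group(1)
        elif m := re.match(r"debug1: authentications that can continue: (\S+)", line):
            out["offered"] = m.group(1).split(",")
        elif m := re.match(r"debug1: next auth method to try is (\S+)", line):
            out["tried"].append(m.group(1))
        elif m := re.match(r"debug1: Doing (password|challenge response) authentication", line):
            out["tried"].append(m.group(1))  # SSH-1 client wording for the same step
        elif m := re.match(r"otp-(\w+) (\d+) (\S+)", line):
            # OTP challenge (RFC 2289 layout): hash algorithm, sequence number, seed
            out["otp_challenge"] = {"alg": m.group(1), "seq": int(m.group(2)), "seed": m.group(3)}
    return out

def prompted_for_otp_before_password(log):
    """True when an OTP challenge was shown and password auth was never reached."""
    s = summarize(log)
    return s["otp_challenge"] is not None and "password" not in s["tried"]
```

Run over the excerpts, only the SSH-2 session to 4.5-RC1 reports keyboard-interactive among the offered methods and an OTP challenge ahead of any password prompt.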